From: Sam Hartman <hartmans@debian.org>
Date: Mon, 11 Sep 2023 14:00:42 -0600
Subject: _pam_wheel_getlogin_considered_harmful

Patch for Debian bug #163787 et al

Always use the process uid, not getlogin(), to identify an applicant in
pam_wheel; utmp may be wrong or may have no entry at all in the case of
an xterm

Authors: Ben Collins <bcollins@debian.org>

Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
---
 modules/pam_wheel/pam_wheel.8.xml | 17 +--------------
 modules/pam_wheel/pam_wheel.c     | 45 ++++++++-------------------------------
 2 files changed, 10 insertions(+), 52 deletions(-)

diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
index af0fd61..b42e27d 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
@@ -30,9 +30,6 @@
       <arg choice="opt" rep="norepeat">
 	trust
       </arg>
-      <arg choice="opt" rep="norepeat">
-	use_uid
-      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -113,18 +110,6 @@
           </para>
         </listitem>
       </varlistentry>
-      <varlistentry>
-        <term>
-          use_uid
-        </term>
-        <listitem>
-          <para>
-            The check will be done against the real uid of the calling process,
-            instead of trying to obtain the user from the login session
-            associated with the terminal in use.
-          </para>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -237,4 +222,4 @@ su      auth     required       pam_unix.so
       </para>
   </refsect1>
 
-</refentry>
\ No newline at end of file
+</refentry>
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index dd047af..93000ce 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -47,9 +47,8 @@
 /* argument parsing */
 
 #define PAM_DEBUG_ARG       0x0001
-#define PAM_USE_UID_ARG     0x0002
-#define PAM_TRUST_ARG       0x0004
-#define PAM_DENY_ARG        0x0010
+#define PAM_TRUST_ARG       0x0002
+#define PAM_DENY_ARG        0x0004
 #define PAM_ROOT_ONLY_ARG   0x0020
 
 static int
@@ -68,8 +67,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
 
           if (!strcmp(*argv,"debug"))
                ctrl |= PAM_DEBUG_ARG;
-          else if (!strcmp(*argv,"use_uid"))
-               ctrl |= PAM_USE_UID_ARG;
+          else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
           else if (!strcmp(*argv,"trust"))
                ctrl |= PAM_TRUST_ARG;
           else if (!strcmp(*argv,"deny"))
@@ -118,39 +116,14 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
         }
     }
 
-    if (ctrl & PAM_USE_UID_ARG) {
-        tpwd = pam_modutil_getpwuid (pamh, getuid());
-        if (tpwd == NULL) {
-            if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-            }
-            return PAM_SERVICE_ERR;
-        }
-        fromsu = tpwd->pw_name;
-    } else {
-        fromsu = pam_modutil_getlogin(pamh);
-
-        /* if getlogin fails try a fallback to PAM_RUSER */
-        if (fromsu == NULL) {
-            const char *rhostname;
-
-            retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
-            if (retval != PAM_SUCCESS || rhostname == NULL) {
-                retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
-            }
-        }
-
-        if (fromsu != NULL) {
-            tpwd = pam_modutil_getpwnam (pamh, fromsu);
-        }
-
-        if (fromsu == NULL || tpwd == NULL) {
-            if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-            }
-            return PAM_SERVICE_ERR;
+    tpwd = pam_modutil_getpwuid (pamh, getuid());
+    if (tpwd == NULL) {
+        if (ctrl & PAM_DEBUG_ARG) {
+            pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
         }
+        return PAM_SERVICE_ERR;
     }
+    fromsu = tpwd->pw_name;
 
     /*
      * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
